Chris Croughton wrote:
> On Sat, Jan 14, 2006 at 04:09:07PM +0000, Kevin Donnelly wrote:
> > Yes, being open has some advantages, and more people /can/ look at it,
> but who has the time? How many Linux users have looked at any of the
> kernel source code at all, let alone the applications?
Seriously looked at large chunks of the Linux kernel code? Probably only several thousand, or low tens of thousands. It is also extensively analysed using static analysis tools. The kernel is the wrong example: large, well-known bits of code like the kernel get a relatively solid going over. Indeed, people developing software tools often look for large, well-known code bases like the Linux kernel.

The WMF was due to an API design issue, and that kind of error could occur readily in free software, especially code that wasn't developed under keen open scrutiny, but perhaps became free for other reasons. I certainly think that the core components of many successful free software projects are often better designed than proprietary equivalents, but I think Chris is right that many eyes don't always help in these areas, especially on fringe projects, since even spotting an issue of this type isn't always sufficient; sometimes these are the most difficult to fix. Similarly, those looking for bloat in some of the desktop projects seem to have no trouble finding stuff that is hideous.

However, I do think that in areas such as the static analysis of source code, free software projects are already well ahead, and it wouldn't take much effort to improve on this situation. I think the big pluses are in:

- backward compatibility (we can always recompile and fix old code when needed, whereas if WordPerfect needs just a minor tweak for Vista, someone other than Microsoft will have to do it);
- distribution, where Microsoft and Apple are just getting to the point where they can distribute fixes to their own code sensibly; the free software distros have this pretty much fully automated, from one packager to the whole world.

It is also easy to forget what a desperate state the MS Windows desktop is in. It is impossible to reasonably secure the common home Microsoft desktop without making it unusable, or at least very unfriendly. Updating software, antivirus, and other antimalware tools is an unreliable and painful process.

It is a mistake to think one needs to be perfect to do better in security. Absolute security is a myth, just as "bugless" code is a utopia that will never be reached. Free software should look to exploit its advantages to deploy better security. I mean, if we enhance, say, the compiler with a security feature, recompiling everything is slow, but not exactly difficult.

As to the WMF vulnerability being intentional, I think Mr Gibson gets some strange ideas at times. If Microsoft (or a developer there) wanted a backdoor in the code (or the NSA wanted one), they could put it in, along with the flight simulator game and other hidden garbage; it isn't as if anyone checks their source code terribly closely, as far as we can tell. Heck, even Linux has implemented some screwy APIs from POSIX and suchlike in the interests of "compatibility", despite Linus usually taking the view that such stuff shouldn't go in.

_______________________________________________
Fsfe-uk mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/fsfe-uk
